LeChucK
LeChucK (also known as WORM_VB.FKO by Trend Micro) is a worm created on August 29, 2007. It mainly attacks Windows XP systems and was commonly found on the peer-to-peer file-sharing program Ares Galaxy, software created back in 2002. The worm is named after LeChuck, a character from the Monkey Island graphic adventure series (the character is a zombie pirate). The worm was also commonly found on MSN. This malware mostly attacked countries in Latin America.

Payload

The worm drops copies of itself in these locations:
%System%\cmd.com
%System%\LeChucK.exe
%System%\wins.exe
%Windows%\regedit.com
%Windows%\spolis.exe

It drops the following non-malicious files/components:
%System%\CC.dll
%System%\LeChucK.hta
%System%\zip32.dll

The worm makes sure it is always running by hijacking the following file-association registry keys: opening any .bat, .cmd, .com, .exe or .pif file launches wins.exe first, with the original file passed as its argument.
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%System%\wins.exe "%1" %*"
HKEY_CLASSES_ROOT\cmdfile\shell\open\command
(Default) = "%System%\wins.exe "%1" %*"
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%System%\wins.exe "%1" %*"
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%System%\wins.exe "%1" %*"
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%System%\wins.exe "%1" %*"

This worm also disables Task Manager, so the user cannot end the process: the Task Manager option on the taskbar appears blank and cannot be clicked. It also disables any anti-virus software, which makes the worm very hard to remove for an inexperienced user.
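Added example (not from the wiki page or from Trend Micro's write-up): a Python check that parses a reg export text dump and flags the file-association hijack in the five shell\open\command keys above, plus the two Policies\System values that follow. The sample dump is constructed, with %System% expanded to C:\WINDOWS\system32 as a live system would store it, and includes one clean comfile handler as a negative case.

```python
import re

# Constructed `reg export` dump: the page's hijack value with %System% expanded.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\wins.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"disabletaskmgr"=dword:00000001
'''
HIJACK_TYPES = ("batfile", "cmdfile", "comfile", "exefile", "piffile")
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
POLICY_VALUES = ("disabletaskmgr", "disableregistrytools")

def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: raw data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data
    return keys

def unescape_sz(data):
    """Turn a quoted REG_SZ literal (backslash-escaped, as reg export writes it) into its real value."""
    return re.sub(r"\\(.)", r"\1", data.strip()[1:-1])

def find_indicators(text):
    findings = []
    for key, values in parse_reg(text).items():
        m = re.fullmatch(r"hkey_classes_root\\(\w+)\\shell\\open\\command", key.lower())
        if m and m.group(1) in HIJACK_TYPES and "@" in values:
            cmd = unescape_sz(values["@"])
            # A clean handler starts with the file itself ("%1"); anything before it runs on every launch.
            if not cmd.lstrip().startswith('"%1"'):
                findings.append(f"file-association hijack: {key} -> {cmd}")
        elif key.lower() == POLICY_KEY:
            for name, data in values.items():
                if name.lower() in POLICY_VALUES and data.lower() == "dword:00000001":
                    findings.append(f"policy set: {name}=1 under {key}")
    return findings
```

On a real machine the same check runs over the output of reg export for HKCR\exefile (and the other four types) and the HKCU Policies\System key.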
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "1" (This disables any anti-virus software)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
disabletaskmgr = "1" (This disables Task Manager)

It also infects any USB drive connected to the infected computer: the worm drops an AUTORUN.INF file containing the following:
OPEN=%windows%\Spolis.exe
shell\open=Abrir (Note: "Abrir" is Spanish for "Open")
shell\open\Command=%windows%\Spolis.exe
shell\open\Default=1
shell\explore=Explorar (Note: "Explorar" is Spanish for "Explore")
shell\explore\Command=%windows%\Spolis.exe

It also drops compressed copies of itself (ZIP files). Many of these file names are in Spanish, which suggests the worm originated in a Spanish-speaking country and could explain why most infections were in such countries. These files can also be found on Ares Galaxy. They are dropped in the %ProgramFiles%\ICQ\Shared files folder.
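Added example (not from the wiki page): a Python check that parses an AUTORUN.INF like the one above and flags launch entries whose target lives on the host rather than on the removable drive. The sample is constructed from the entries the page lists; the [autorun] section header that real files carry is assumed.

```python
import re

# Constructed from the AUTORUN.INF entries the page reproduces; the [autorun]
# section header that real files carry is assumed here.
SAMPLE_AUTORUN = r"""[autorun]
OPEN=%windows%\Spolis.exe
shell\open=Abrir
shell\open\Command=%windows%\Spolis.exe
shell\open\Default=1
shell\explore=Explorar
shell\explore\Command=%windows%\Spolis.exe
"""
# Entries that make Explorer launch something: open, shellexecute, shell\<verb>\command
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

def parse_autorun(text):
    """Parse the [autorun] section into {lowercased key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_findings(text):
    """Flag launch entries whose target lives on the host instead of the drive."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not LAUNCH_KEYS.match(key):
            continue
        target = value.split()[0] if value.split() else ""
        # A legitimate autorun launches a file shipped on the drive (relative path).
        # An environment variable or absolute path points back at the host, which
        # is exactly what the worm does with %windows%\Spolis.exe.
        if target.startswith(("%", "\\")) or re.match(r"^[A-Za-z]:\\", target):
            findings.append(f"{key} launches a host-side file: {target}")
    return findings
```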
The dropped ZIP files have the following names:
7-Zip 4.43.Zip
ACDSee 2.4.4.Zip
ACDSee Photo Manager.Zip
Acrobat Reader 7.0.Zip
Acrobat Reader 8.0 New.Zip
Ad-Aware 2007.PRO 7.0.1.6 Full.Zip
Adobe Acrobat Profesional 8.0.Zip
Adobe Audition 2.0 KEYGEN.Zip
adobe audition.Zip
Agnitum Outpost Firewall Pro 4.0.Zip
Aida 32.Zip
AIDA32.Zip
amv convert tool.Zip
Anonymous Surfing 7.3.Zip
AntiVir Personal 6.32.Zip
AnyDVD 6.1.3.6.Zip
Apariencia Windows Vista para XP.Zip
Ardamax Keylogger.Zip
Ares Lite 2.4.Zip
Ashampoo Firewall 1.01.Zip
Ashampoo WinOptimizer.Zip
Aspak 2.12.Zip
Audacity.Zip
Autocad Full Español.Zip
Avast Antivirus.Zip
AVG Anti-Spyware 7.5 Español.Zip
Batlefield 1942 Keygen.Zip
BearShare v7.8 Installer.Zip
BitComet.Zip
BitDefender 7 Español.Zip
BitTorrent 4.26.0.Zip
Cartoonist.Zip
Ciber Boss 4.2.Zip
CiberBoss 4.2.Zip
ClamWin 0.88.2.3.Zip
Cleaner v1.39.Zip
Clone CD 5.2 Installer.Zip
CloneCD v4.3.2.2.Zip
CloneDVD.Zip
Counter Strike 3 Install Online.Zip
Crear Virus en ASM.Zip
Crystal Player 1.9 FREE New.Zip
CuteFTP 6.5 Installe.Zip
CuteFTP.Zip
DAEMON Tools Pro.Zip
DeepFreezer.Zip
DirectX 9.0 c.Zip
Disk Cleaner.Zip
Divx v9.4 beta 2004 version.Zip
Download Acelerator Plus 8.3 Installer.Zip
Dr. Abuse 6.10.Zip
Dr. Web Install Online.Zip
Dreamweaver 8 Español.Zip
Easy CD-DA Extractor.Zip
Easy Gif Animator Crack All Version.Zip
Easy Gif Animator.Zip
Emoticones para Windows Live Messenger.Zip
Empire Earth 2 Crack.Zip
Emulador PS2 y PS3!.Zip
eMule 4 Installer.Zip
Encarta 2007.Zip
ePSXe 3.6.0.Zip
Everest Ultimate Edition 2006.Zip
EVEREST Ultimate Edition.Zip
Ewido freeware version.Zip
Exploit para IE 7.Zip
Fifa 2004 Keygen.Zip
Firefox Setup 4.5.exe.Zip
Flash 8 En Español.Zip
FlashGet 1.72.128.Zip
FlashGet.Zip
Fortinet Install.Zip
FrontPage 2007.Zip
Google Earth Pro.Zip
Google Earth.Zip
GTA 4 Vice City 2 New.Zip
Gta San Andreas Crack.Zip
Hacer Windows XP Original.Zip
Hacha PRO.Zip
Halo 2 Crack.Zip
HDD Regenerator 1.51.Zip
Hide IP Platinum.Zip
HP Photosmart Install.Zip
Icecold Reloaded.Zip
ICQ Lite Ultima Version.Zip
Idoser all drugs.Zip
iMesh v 4.8 Installer.Zip
Internet Explorer 7.Zip
iTunes 7.3.2.Zip
iTunes.Zip
Kaspersky Internet Security 6.0.2.621.Zip
Kaspersky.Zip
Kazaa Deluxe 2004.Zip
KazaA Download Accelerator v2.0.Zip
KillBox 2.0.0.648 .Zip
Lavasoft Ad-Aware 8.Zip
LeChucK.Zip
LimeWire Lite Deluxe Installer.Zip
Limewire Portable.Zip
LimeWire Pro.Zip
Macromedia Dreamweaver MX.Zip
Macromedia Flash MX.Zip
Macromedia Flash Player.Zip
McAfee Internet Security Suite 2007.Zip
McAfee Virus Scan.Zip
Media Player 11 Crackeado.Zip
Mess Patch.Zip
Messenger Plus.Zip
MessengerDiscovery.Zip
Microsoft defender.Zip
Mindsoft Utilities.Zip
mIRC 6.20.Zip
MIRC62.Zip
Mobile Phone Tools.Zip
Monkey Island I.Zip
Monkey Island II.Zip
Motorola Software.Zip
Mozilla Firefox.Zip
Mozilla Thunderbird.Zip
Msjavx86(Java).Zip
MSN Multisesion.Zip
MSN Plus 9.Zip
MSN Poligamy.Zip
My Drivers 3.22.Zip
MySQL Español-English.Zip
Need For Speed Underground 2 Crack.Zip
Nero Burning Rom.Zip
Nero Burning v7.3 Crack.Zip
NOD32 2.7 Español.Zip
Nod32 2.7.Zip
NOD32 Crack.Zip
Norton antivirus 2007.Zip
Norton Ghost 10 Español.Zip
Norton ghost.Zip
Norton Partition Magic 8.05.Zip
NTI cd-maker.Zip
OpenOffice.Zip
Opera 9.Zip
Paint Shop Pro CRACK.Zip
Panda Internet Security 2007.Zip
Parche Español para Winamp.Zip
Parche Need For Speed Underground.Zip
Partition Magic 8.0 CRACK.Zip
Partition Magic 8.0.Zip
Perfect Keylogger v1.535.Zip
Petite 23 Compresor.Zip
Photoshop CS3 Crack.Zip
Photoshop CS3 Traduccion.Zip
photoshop.Zip
PHP Nuke.Zip
Pokemon 2007 Español.Zip
QuickTime Pro 7.1.3.100.Zip
Rainbow Six 4 Keygen.Zip
real player.Zip
RealPlayer 8.Zip
ResHacker.Zip
Simpson Hit & Run Crack.Zip
Sims City 2006 Keygen.Zip
Sin Espias.Zip
Skype New Version.Zip
SmartFTP.Zip
SoulSeek v5.6 Installer.Zip
Soulseek.Zip
Spiderman MultiCrack.Zip
Spybot - Search & Destroy.Zip
Spyware Doctor .Zip
Sudoku 3D.Zip
System Mechanic Professional.Zip
Terminator 4 Keygen.Zip
The hacker Antivirus.Zip
The Sims 2 Keygen.Zip
Tiny Personal Firewall 6.5.126.Zip
Titan Poker.Zip
Total Commander.Zip
Trojan Remover.Zip
TuneUp Utilities 2007 Crack.Zip
UltraEdit-32 Profesional 11.0.Zip
Unlocker Ultimate Version.Zip
UPX 3.Zip
UserBar Generator.Zip
VIRTUALJ3.1.Zip
Vista Inspirat.Zip
VistaMizer.Zip
Visual Basic 8.Zip
VoipStunt.Zip
Warcraft 4 Keygen.Zip
WinAce 2.65.Zip
Winamp 5 5.32.Zip
Winamp 5.35 Pro.Zip
Winamp v8.1.Zip
WinAVI.Zip
Windows Live Messenger 8.5 BETA.Zip
Windows Live Messenger 8.5.Zip
Windows Media 11 Crack.Zip
Windows Media player 11.Zip
Windows Vista Activacion.Zip
WindowsBlinds 5.5.Zip
WinMX 5.1 New.Zip
Winrar 3.51.Zip
Winrar 3.62 Final Español.Zip
Winrar 7.4 Version Beta.Zip
Winzip 10.0.Zip
WinZip 11.Zip
Winzip 12 Beta.Zip
Yahoo Messenger v7.9.Zip
Yahoo Messenger.Zip
Your Uninstaller Pro.Zip
YouTube Catcher.Zip
YouTube Spider.Zip
ZoneAlarm 6.5.731.000.Zip

The worm also accesses the following websites to download more files, such as trojans (acting like a backdoor):
http://{BLOCKED}.eresmas.com/espana.starmedia.com/gratisweb
http://www.{BLOCKED}tadorgratis.es/count.php
http://www.{BLOCKED}smas.com/js/logs_sm.js
http://www.{BLOCKED}tisweb.com/mowpax/contador.htm

Once the worm has done all of this, getting rid of it is very hard if the user had no anti-virus beforehand, since the worm has a keylogger that prevents the user from searching for these words:
lechuck
virus
antivirus

It also prevents the user from searching for any anti-virus name; any attempt to do so makes the worm close the browser. The worm also prevents the user from opening any anti-virus installer or software: any attempt makes the worm delete the file or stop it from executing. It can also turn the executable into an invalid Win32 application. If the user has MSN and opens it, the worm shows the sprite of LeChuck from Monkey Island with a message. If the user opens My Documents, the following message appears in the window's title bar and the file explorer is then closed: "WIN32 LECHUCK IS HERE"

References
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_vb.fko

Categories: Microsoft Windows, Win32, Worm, Win32 worm, Trojan, Win32 trojan